January 27, 2001, 11:44 AM — To administer a Windows 2000-based network, you need to be grounded in Windows 2000's new directory service, Active Directory (AD). This week and next, I'll describe the components that make up AD. In future installments, I'll discuss its benefits in detail.
New directory service functionality for Windows servers
Like all directory services, AD is a database that centralizes the data and instructions that user applications need to communicate over a network. User identification, configuration, and site information are examples of stored data.
AD replaces NT's SAM (security accounts manager) database with an extensible, highly scalable database that follows the X.500 standards. It is accessed via LDAP and uses DNS, rather than WINS, for name resolution. DNS requires TCP/IP; therefore, Active Directory requires TCP/IP.
This new networking model allows administrators to manage Windows 2000 environments in ways that weren't possible under NT 4.0. Windows 2000 Server, Advanced Server, and Datacenter Server all provide Active Directory services.
Let's take a look at AD's component hierarchy.
At AD's lowest level are objects, which are composed of attributes (see Figure 1).
Objects can be anything from user accounts to file shares, printer shares, or DFS roots. Shares are a way of making resources available on the network; an example of a file share is \\servername\sharename. DFS roots, with which you can hide the underlying network infrastructure from users, help simplify system management.
The schema contains definitions of every possible object type, its corresponding attributes, and the data types those attributes can be composed of. A user object, for example, might have
An object or attribute cannot exist if it is not first defined within the schema.
You can use organizational units (OUs) -- basically containers within which you group objects logically -- to delegate administrative functions (see Figure 1). For example, you could create an OU called Accounting and then assign its administrator the rights to add users and change passwords within it -- but nowhere else!
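The schema rule above (nothing exists that the schema has not defined) and the Accounting OU delegation example are easier to see in a small model. The following Python is an added illustration written for this page, not Microsoft code or anything from the article; the toy schema, the OU names, the acct-admin account and the clear-text unicodePwd value are all constructed, and real AD enforces delegation with ACLs on the OU rather than with this lookup table.

```python
from dataclasses import dataclass, field

# Constructed toy schema: object class -> {attribute name: required data type}.
SCHEMA = {"user": {"sAMAccountName": str, "unicodePwd": str},
          "organizationalUnit": {"name": str}}

@dataclass
class ADObject:
    object_class: str
    ou: str                        # containing OU, e.g. "OU=Accounting" (constructed)
    attributes: dict = field(default_factory=dict)

class Directory:
    def __init__(self):
        self.objects = []
        self.delegations = {}      # admin -> the single OU that admin may manage (stand-in for an ACL)

    def add_object(self, obj):
        """Schema enforcement: an undefined class or attribute cannot be created."""
        allowed = SCHEMA.get(obj.object_class)
        if allowed is None:
            raise ValueError(f"class {obj.object_class!r} is not in the schema")
        for name, value in obj.attributes.items():
            if name not in allowed:
                raise ValueError(f"{name!r} is not a defined attribute of {obj.object_class}")
            if not isinstance(value, allowed[name]):
                raise TypeError(f"{name!r} must be of type {allowed[name].__name__}")
        self.objects.append(obj)

    def delegate(self, admin, ou):
        self.delegations[admin] = ou

    def add_user(self, admin, ou, account):
        """The delegated admin may create users only inside the OU delegated to them."""
        if self.delegations.get(admin) != ou:
            return False
        self.add_object(ADObject("user", ou, {"sAMAccountName": account, "unicodePwd": "init"}))
        return True

    def set_password(self, admin, account, new_pwd):
        """...and may reset passwords only for users that live in that OU, nowhere else."""
        for obj in self.objects:
            if obj.attributes.get("sAMAccountName") == account:
                if obj.ou != self.delegations.get(admin):
                    return False          # right user, wrong OU: denied
                obj.attributes["unicodePwd"] = new_pwd
                return True
        return False                      # no such user
```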